Earlier this year the Information Commissioner’s Office (ICO) issued its one year update on the General Data Protection Regulation (GDPR). Some interesting points emerged.
The Information Commissioner has indicated that in a March 2019 survey, 64% of respondents said that they had seen an increase in customers and service users exercising their information rights since the GDPR came into force on 25 May 2018. This is certainly supported by the ICO’s own experience where, for example, the ICO’s helpline, live chat and written advice services received over 470,000 contacts in 2018/19 (a 66% increase from 2017/18). The ICO’s GDPR guidance was accessed 16.6 million times between 1 April 2018 and 24 May 2019.
The ICO has indicated that further advice will be issued in the coming year, in particular in relation to data sharing, direct marketing, journalism and political parties.
Breaches and enforcement
In terms of enforcement the ICO has indicated that the focus is going to be on those breaches involving highly sensitive information, adversely affecting large groups of individuals or those impacting vulnerable individuals. The ICO has indicated that it will be targeting its most significant powers on organisations and individuals suspected of repeated or wilful misconduct or serious failures to take proper steps to protect personal data.
The ICO has issued 15 assessment notices under the GDPR in conjunction with its investigations into data analytics for political purposes, political parties, data brokers, credit reference agencies and others. A further 11 information notices have been issued to allow the ICO to progress investigations.
In terms of personal data breaches the ICO received approximately 14,000 personal data breach reports in the period from 25 May 2018 to 1 May 2019. This compares with approximately 3,300 in the year from 1 April 2017.
Of those cases that were notified over 12,000 were closed during the year. Of those, only approximately 17.5% required action from the organisation concerned and less than 0.5% led to either an improvement plan or a civil monetary penalty. This meant that over 82% of cases required no action from the organisation.
The ICO gave the following examples:
A nursery which produced Father's Day cards for children to take home where two children had the same name and child A's photo was put in child B's card and vice versa. No further action was required and the ICO took the view that the breach was not reportable as it was unlikely that individuals' rights and freedoms would be impacted. Advice was provided to the nursery about reporting thresholds.
An organisation was late submitting two reports to the ICO. One did not meet the reporting threshold. Advice had been given previously and some steps had been taken to make improvements to the organisation’s breach reporting process. The ICO sought further assurances about future improvements to practices and reporting.
As a result of administrative errors an organisation disclosed personal data to incorrect recipients. Whilst the ICO’s investigation established that this was not a systemic failing it demonstrated that established policies and procedures were not always being followed. The organisation was issued with a reprimand and told to take certain steps to improve compliance with the GDPR including ensuring that all staff attended mandatory training, that policies and procedures were enforced and reiterated to staff on a regular basis and that contact details were checked on all correspondence.
The ICO has indicated that from 25 May 2018 to 1 May 2019 it received over 41,000 data protection concerns from the public (up from approximately 21,000 in 2017/18).
The most frequent complaints centred on subject access requests (approximately 38% of complaints, a similar proportion to that before the GDPR came into force).
The ICO has identified some sectors which have been responsible for higher numbers of breach reports and data protection concerns. It highlighted, in particular, the health sector (16% of personal data breaches and 7% of complaints), local government (8% of personal data breaches and 9% of complaints) and lenders (6% of complaints).
The overall increase in reports/complaints seems to be similar to that being experienced across Europe where from 25 May 2018 to 1 May 2019 there were approximately 240,000 data protection complaints, data breaches and investigations or similar issues of which the ICO in the UK received over 55,000 (approximately 23%).
In order to deal with the increased number of incidents, reports and complaints, the ICO has expanded its workforce from 505 to more than 700 and anticipates having 825 full-time equivalent staff by early 2020/21, with the effect that the ICO will have almost doubled in size in three years.
All of this reinforces the view that individuals are much more aware of their data rights than they used to be and much more willing to complain to the regulator if they feel those rights have been breached. This, in turn, highlights the need for organisations to have proper procedures and policies in place and to manage two related risks: the risk created by the increased obligations on them, and the risk that, if those obligations are breached, a claim will be pursued and/or regulatory action will be taken. It also reinforces the need for organisations to consider cyber cover as part of their overall risk management strategy and emphasises the importance of brokers and insurers drawing their customers' attention to the cover available.